- Allow svirt_t to stream_connect to virtd_t
parent
947b439e10
commit
4c8c1814a9
240
policy-F12.patch
240
policy-F12.patch
@ -4272,7 +4272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
|
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.26/policy/modules/kernel/devices.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.26/policy/modules/kernel/devices.fc
|
||||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-07-30 15:33:08.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-08-03 06:30:31.000000000 -0400
|
||||||
@@ -47,8 +47,10 @@
|
@@ -47,8 +47,10 @@
|
||||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||||
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
||||||
@ -4284,9 +4284,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||||
|
@@ -82,6 +84,7 @@
|
||||||
|
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||||
|
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
+/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
|
||||||
|
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||||
|
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
|
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-07-30 15:33:08.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-03 06:30:19.000000000 -0400
|
||||||
@@ -1655,6 +1655,78 @@
|
@@ -1655,6 +1655,78 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -4428,7 +4436,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the lvm comtrol device.
|
## Read the lvm comtrol device.
|
||||||
@@ -2268,6 +2395,25 @@
|
@@ -2232,6 +2359,24 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Read and write the the wireless device.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`dev_rw_wireless',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type device_t, wireless_device_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ rw_chr_files_pattern($1, device_t, wireless_device_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Get the attributes of the null device nodes.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -2268,6 +2413,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -4456,7 +4489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.26/policy/modules/kernel/devices.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.26/policy/modules/kernel/devices.te
|
||||||
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-07-30 15:33:08.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-08-03 06:30:00.000000000 -0400
|
||||||
@@ -84,6 +84,13 @@
|
@@ -84,6 +84,13 @@
|
||||||
dev_node(kmsg_device_t)
|
dev_node(kmsg_device_t)
|
||||||
|
|
||||||
@ -4484,9 +4517,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Type for /dev/mapper/control
|
# Type for /dev/mapper/control
|
||||||
#
|
#
|
||||||
type lvm_control_t;
|
type lvm_control_t;
|
||||||
|
@@ -224,6 +237,12 @@
|
||||||
|
type watchdog_device_t;
|
||||||
|
dev_node(watchdog_device_t)
|
||||||
|
|
||||||
|
+#
|
||||||
|
+# wireless control devices
|
||||||
|
+#
|
||||||
|
+type wireless_device_t;
|
||||||
|
+dev_node(wireless_device_t)
|
||||||
|
+
|
||||||
|
type xen_device_t;
|
||||||
|
dev_node(xen_device_t)
|
||||||
|
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-07-30 15:33:08.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-03 08:04:07.000000000 -0400
|
||||||
@@ -44,34 +44,6 @@
|
@@ -44,34 +44,6 @@
|
||||||
interface(`domain_type',`
|
interface(`domain_type',`
|
||||||
# start with basic domain
|
# start with basic domain
|
||||||
@ -8774,7 +8820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.26/policy/modules/services/bluetooth.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.26/policy/modules/services/bluetooth.te
|
||||||
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-07-23 14:11:04.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-07-23 14:11:04.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-07-30 15:33:08.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-08-03 06:30:22.000000000 -0400
|
||||||
@@ -64,6 +64,7 @@
|
@@ -64,6 +64,7 @@
|
||||||
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
|
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
|
||||||
@ -8783,6 +8829,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
|
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
|
||||||
|
|
||||||
|
@@ -111,6 +112,7 @@
|
||||||
|
dev_rw_generic_usb_dev(bluetooth_t)
|
||||||
|
dev_read_urand(bluetooth_t)
|
||||||
|
dev_rw_input_dev(bluetooth_t)
|
||||||
|
+dev_rw_wireless(bluetooth_t)
|
||||||
|
|
||||||
|
fs_getattr_all_fs(bluetooth_t)
|
||||||
|
fs_search_auto_mountpoints(bluetooth_t)
|
||||||
|
@@ -154,6 +156,10 @@
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
+ networkmanager_dbus_chat(bluetooth_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
pulseaudio_dbus_chat(bluetooth_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.26/policy/modules/services/certmaster.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.26/policy/modules/services/certmaster.te
|
||||||
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/certmaster.te 2009-07-30 15:33:08.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/certmaster.te 2009-07-30 15:33:08.000000000 -0400
|
||||||
@ -11092,17 +11157,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.26/policy/modules/services/mysql.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.26/policy/modules/services/mysql.te
|
||||||
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-07-30 15:33:09.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-08-03 08:06:57.000000000 -0400
|
||||||
@@ -136,6 +136,8 @@
|
@@ -136,7 +136,12 @@
|
||||||
|
|
||||||
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
||||||
|
|
||||||
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
|
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
|
||||||
+
|
+
|
||||||
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
|
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
|
||||||
|
+
|
||||||
|
+domain_getattr_all_domains(mysqld_safe_t)
|
||||||
|
+
|
||||||
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||||
|
|
||||||
@@ -152,7 +154,7 @@
|
kernel_read_system_state(mysqld_safe_t)
|
||||||
|
@@ -152,7 +157,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(mysqld_safe_t)
|
miscfiles_read_localization(mysqld_safe_t)
|
||||||
|
|
||||||
@ -12408,7 +12477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.26/policy/modules/services/policykit.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.26/policy/modules/services/policykit.if
|
||||||
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-07-30 15:33:09.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-08-03 06:44:10.000000000 -0400
|
||||||
@@ -17,6 +17,8 @@
|
@@ -17,6 +17,8 @@
|
||||||
class dbus send_msg;
|
class dbus send_msg;
|
||||||
')
|
')
|
||||||
@ -12418,7 +12487,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow $1 policykit_t:dbus send_msg;
|
allow $1 policykit_t:dbus send_msg;
|
||||||
allow policykit_t $1:dbus send_msg;
|
allow policykit_t $1:dbus send_msg;
|
||||||
')
|
')
|
||||||
@@ -167,7 +169,7 @@
|
@@ -41,7 +43,6 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Execute a policy_auth in the policy_auth domain, and
|
||||||
|
## allow the specified role the policy_auth domain,
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
@@ -167,7 +168,7 @@
|
||||||
|
|
||||||
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
|
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
|
||||||
|
|
||||||
@ -12427,7 +12504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -206,4 +208,30 @@
|
@@ -206,4 +207,47 @@
|
||||||
|
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
|
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
|
||||||
@ -12457,10 +12534,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ policykit_read_lib($2)
|
+ policykit_read_lib($2)
|
||||||
+ policykit_read_reload($2)
|
+ policykit_read_reload($2)
|
||||||
+ policykit_dbus_chat($2)
|
+ policykit_dbus_chat($2)
|
||||||
|
+')
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send generic signal to policy_auth
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`policykit_signal_auth',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type policykit_auth_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 policykit_auth_t:process signal;
|
||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
|
||||||
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-07-30 15:33:09.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-03 06:50:17.000000000 -0400
|
||||||
@@ -38,9 +38,10 @@
|
@@ -38,9 +38,10 @@
|
||||||
|
|
||||||
allow policykit_t self:capability { setgid setuid };
|
allow policykit_t self:capability { setgid setuid };
|
||||||
@ -12500,7 +12594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# polkit_auth local policy
|
# polkit_auth local policy
|
||||||
@@ -77,7 +89,8 @@
|
@@ -77,12 +89,15 @@
|
||||||
|
|
||||||
allow policykit_auth_t self:capability setgid;
|
allow policykit_auth_t self:capability setgid;
|
||||||
allow policykit_auth_t self:process getattr;
|
allow policykit_auth_t self:process getattr;
|
||||||
@ -12510,27 +12604,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
|
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
|
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
@@ -104,6 +117,8 @@
|
+policykit_dbus_chat(policykit_auth_t)
|
||||||
|
+
|
||||||
|
can_exec(policykit_auth_t, policykit_auth_exec_t)
|
||||||
|
-corecmd_search_bin(policykit_auth_t)
|
||||||
|
+corecmd_exec_bin(policykit_auth_t)
|
||||||
|
|
||||||
|
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
|
||||||
|
|
||||||
|
@@ -104,6 +119,7 @@
|
||||||
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
|
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
|
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
|
||||||
+
|
|
||||||
dbus_session_bus_client(policykit_auth_t)
|
dbus_session_bus_client(policykit_auth_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -116,6 +131,10 @@
|
@@ -116,6 +132,13 @@
|
||||||
hal_read_state(policykit_auth_t)
|
hal_read_state(policykit_auth_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ xserver_stream_connect(policykit_auth_t)
|
||||||
+ xserver_xdm_append_log(policykit_auth_t)
|
+ xserver_xdm_append_log(policykit_auth_t)
|
||||||
|
+ xserver_read_xdm_pid(policykit_auth_t)
|
||||||
|
+ xserver_search_xdm_lib(policykit_auth_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# polkit_grant local policy
|
# polkit_grant local policy
|
||||||
@@ -123,7 +142,8 @@
|
@@ -123,7 +146,8 @@
|
||||||
|
|
||||||
allow policykit_grant_t self:capability setuid;
|
allow policykit_grant_t self:capability setuid;
|
||||||
allow policykit_grant_t self:process getattr;
|
allow policykit_grant_t self:process getattr;
|
||||||
@ -12540,7 +12644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
@@ -153,9 +173,12 @@
|
@@ -153,9 +177,12 @@
|
||||||
userdom_read_all_users_state(policykit_grant_t)
|
userdom_read_all_users_state(policykit_grant_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -12554,7 +12658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
consolekit_dbus_chat(policykit_grant_t)
|
consolekit_dbus_chat(policykit_grant_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
@@ -167,7 +190,8 @@
|
@@ -167,7 +194,8 @@
|
||||||
|
|
||||||
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
||||||
allow policykit_resolve_t self:process getattr;
|
allow policykit_resolve_t self:process getattr;
|
||||||
@ -13686,8 +13790,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.26/policy/modules/services/ricci.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.26/policy/modules/services/ricci.te
|
||||||
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-07-23 14:11:04.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-07-23 14:11:04.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-07-30 15:33:09.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-08-03 07:21:27.000000000 -0400
|
||||||
@@ -440,6 +440,10 @@
|
@@ -264,6 +264,7 @@
|
||||||
|
allow ricci_modclusterd_t self:socket create_socket_perms;
|
||||||
|
|
||||||
|
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
|
||||||
|
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
|
||||||
|
|
||||||
|
# log files
|
||||||
|
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
|
||||||
|
@@ -440,6 +441,10 @@
|
||||||
files_read_usr_files(ricci_modstorage_t)
|
files_read_usr_files(ricci_modstorage_t)
|
||||||
files_read_kernel_modules(ricci_modstorage_t)
|
files_read_kernel_modules(ricci_modstorage_t)
|
||||||
|
|
||||||
@ -16957,7 +17069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-07-30 15:33:09.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-03 06:49:41.000000000 -0400
|
||||||
@@ -90,7 +90,7 @@
|
@@ -90,7 +90,7 @@
|
||||||
allow $2 xauth_home_t:file manage_file_perms;
|
allow $2 xauth_home_t:file manage_file_perms;
|
||||||
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||||
@ -17105,7 +17217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -756,7 +757,26 @@
|
@@ -756,7 +757,44 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
@ -17130,10 +17242,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
+ manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
|
+ manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Search XDM var lib dirs.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`xserver_search_xdm_lib',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type xdm_var_lib_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 xdm_var_lib_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -779,6 +799,50 @@
|
@@ -779,6 +817,50 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -17184,7 +17314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Make an X session script an entrypoint for the specified domain.
|
## Make an X session script an entrypoint for the specified domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -797,6 +861,24 @@
|
@@ -797,6 +879,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -17209,7 +17339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute an X session in the target domain. This
|
## Execute an X session in the target domain. This
|
||||||
## is an explicit transition, requiring the
|
## is an explicit transition, requiring the
|
||||||
## caller to use setexeccon().
|
## caller to use setexeccon().
|
||||||
@@ -872,6 +954,27 @@
|
@@ -872,6 +972,27 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -17237,7 +17367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Do not audit attempts to write the X server
|
## Do not audit attempts to write the X server
|
||||||
## log files.
|
## log files.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -1018,10 +1121,11 @@
|
@@ -1018,10 +1139,11 @@
|
||||||
#
|
#
|
||||||
interface(`xserver_domtrans',`
|
interface(`xserver_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -17250,7 +17380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
domtrans_pattern($1, xserver_exec_t, xserver_t)
|
domtrans_pattern($1, xserver_exec_t, xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1159,6 +1263,276 @@
|
@@ -1159,6 +1281,276 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -17527,7 +17657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Interface to provide X object permissions on a given X server to
|
## Interface to provide X object permissions on a given X server to
|
||||||
## an X client domain. Gives the domain complete control over the
|
## an X client domain. Gives the domain complete control over the
|
||||||
## display.
|
## display.
|
||||||
@@ -1172,7 +1546,103 @@
|
@@ -1172,7 +1564,103 @@
|
||||||
interface(`xserver_unconfined',`
|
interface(`xserver_unconfined',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute xserver_unconfined_type;
|
attribute xserver_unconfined_type;
|
||||||
@ -17564,7 +17694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ allow $2 $1:x_drawable all_x_drawable_perms;
|
+ allow $2 $1:x_drawable all_x_drawable_perms;
|
||||||
+ allow $1 $2:x_resource all_x_resource_perms;
|
+ allow $1 $2:x_resource all_x_resource_perms;
|
||||||
+ allow $2 $1:x_resource all_x_resource_perms;
|
+ allow $2 $1:x_resource all_x_resource_perms;
|
||||||
+')
|
')
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -17589,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ class x_selection all_x_selection_perms;
|
+ class x_selection all_x_selection_perms;
|
||||||
+ class x_event all_x_event_perms;
|
+ class x_event all_x_event_perms;
|
||||||
+ class x_synthetic_event all_x_synthetic_event_perms;
|
+ class x_synthetic_event all_x_synthetic_event_perms;
|
||||||
')
|
+')
|
||||||
+
|
+
|
||||||
+ # Type attributes
|
+ # Type attributes
|
||||||
+ typeattribute $1 x_domain;
|
+ typeattribute $1 x_domain;
|
||||||
@ -17633,7 +17763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.26/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.26/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-07-30 15:33:09.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-08-03 06:43:20.000000000 -0400
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -18060,7 +18190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -542,6 +650,29 @@
|
@@ -542,6 +650,30 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18068,6 +18198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ policykit_domtrans_auth(xdm_t)
|
+ policykit_domtrans_auth(xdm_t)
|
||||||
+ policykit_read_lib(xdm_t)
|
+ policykit_read_lib(xdm_t)
|
||||||
+ policykit_read_reload(xdm_t)
|
+ policykit_read_reload(xdm_t)
|
||||||
|
+ policykit_signal_auth(xdm_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -18090,7 +18221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -550,8 +681,9 @@
|
@@ -550,8 +682,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18102,7 +18233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -560,7 +692,6 @@
|
@@ -560,7 +693,6 @@
|
||||||
ifdef(`distro_rhel4',`
|
ifdef(`distro_rhel4',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
')
|
')
|
||||||
@ -18110,7 +18241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_dontaudit_search_config(xdm_t)
|
userhelper_dontaudit_search_config(xdm_t)
|
||||||
@@ -571,6 +702,10 @@
|
@@ -571,6 +703,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18121,7 +18252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -587,10 +722,9 @@
|
@@ -587,10 +723,9 @@
|
||||||
# execheap needed until the X module loader is fixed.
|
# execheap needed until the X module loader is fixed.
|
||||||
# NVIDIA Needs execstack
|
# NVIDIA Needs execstack
|
||||||
|
|
||||||
@ -18133,7 +18264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
allow xserver_t self:fd use;
|
allow xserver_t self:fd use;
|
||||||
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
allow xserver_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow xserver_t self:sock_file read_sock_file_perms;
|
allow xserver_t self:sock_file read_sock_file_perms;
|
||||||
@@ -602,9 +736,11 @@
|
@@ -602,9 +737,11 @@
|
||||||
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
allow xserver_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow xserver_t self:udp_socket create_socket_perms;
|
allow xserver_t self:udp_socket create_socket_perms;
|
||||||
@ -18145,7 +18276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
|
||||||
|
|
||||||
@@ -616,13 +752,14 @@
|
@@ -616,13 +753,14 @@
|
||||||
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
|
||||||
|
|
||||||
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
|
||||||
@ -18161,7 +18292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
|
||||||
@@ -635,9 +772,19 @@
|
@@ -635,9 +773,19 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -18181,7 +18312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
kernel_read_system_state(xserver_t)
|
kernel_read_system_state(xserver_t)
|
||||||
kernel_read_device_sysctls(xserver_t)
|
kernel_read_device_sysctls(xserver_t)
|
||||||
@@ -680,9 +827,12 @@
|
@@ -680,9 +828,12 @@
|
||||||
dev_rw_xserver_misc(xserver_t)
|
dev_rw_xserver_misc(xserver_t)
|
||||||
# read events - the synaptics touchpad driver reads raw events
|
# read events - the synaptics touchpad driver reads raw events
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
@ -18195,7 +18326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
files_read_etc_runtime_files(xserver_t)
|
files_read_etc_runtime_files(xserver_t)
|
||||||
@@ -697,8 +847,12 @@
|
@@ -697,8 +848,12 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -18208,7 +18339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
selinux_validate_context(xserver_t)
|
selinux_validate_context(xserver_t)
|
||||||
selinux_compute_access_vector(xserver_t)
|
selinux_compute_access_vector(xserver_t)
|
||||||
@@ -720,6 +874,7 @@
|
@@ -720,6 +875,7 @@
|
||||||
|
|
||||||
miscfiles_read_localization(xserver_t)
|
miscfiles_read_localization(xserver_t)
|
||||||
miscfiles_read_fonts(xserver_t)
|
miscfiles_read_fonts(xserver_t)
|
||||||
@ -18216,7 +18347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
modutils_domtrans_insmod(xserver_t)
|
modutils_domtrans_insmod(xserver_t)
|
||||||
|
|
||||||
@@ -742,7 +897,7 @@
|
@@ -742,7 +898,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
@ -18225,7 +18356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -774,12 +929,20 @@
|
@@ -774,12 +930,20 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -18247,7 +18378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
unconfined_domtrans(xserver_t)
|
unconfined_domtrans(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -806,7 +969,7 @@
|
@@ -806,7 +970,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -18256,7 +18387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -827,9 +990,14 @@
|
@@ -827,9 +991,14 @@
|
||||||
# to read ROLE_home_t - examine this in more detail
|
# to read ROLE_home_t - examine this in more detail
|
||||||
# (xauth?)
|
# (xauth?)
|
||||||
userdom_read_user_home_content_files(xserver_t)
|
userdom_read_user_home_content_files(xserver_t)
|
||||||
@ -18271,7 +18402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +1012,14 @@
|
@@ -844,11 +1013,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -18287,7 +18418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -881,6 +1052,8 @@
|
@@ -881,6 +1053,8 @@
|
||||||
# X Server
|
# X Server
|
||||||
# can read server-owned resources
|
# can read server-owned resources
|
||||||
allow x_domain xserver_t:x_resource read;
|
allow x_domain xserver_t:x_resource read;
|
||||||
@ -18296,7 +18427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# can mess with own clients
|
# can mess with own clients
|
||||||
allow x_domain self:x_client { manage destroy };
|
allow x_domain self:x_client { manage destroy };
|
||||||
|
|
||||||
@@ -905,6 +1078,8 @@
|
@@ -905,6 +1079,8 @@
|
||||||
# operations allowed on my windows
|
# operations allowed on my windows
|
||||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||||
|
|
||||||
@ -18305,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# X Colormaps
|
# X Colormaps
|
||||||
# can use the default colormap
|
# can use the default colormap
|
||||||
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
allow x_domain rootwindow_t:x_colormap { read use add_color };
|
||||||
@@ -972,17 +1147,49 @@
|
@@ -972,17 +1148,49 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
@ -19738,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+miscfiles_read_localization(iscsid_t)
|
+miscfiles_read_localization(iscsid_t)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.26/policy/modules/system/libraries.fc
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.26/policy/modules/system/libraries.fc
|
||||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-07-30 16:27:55.000000000 -0400
|
+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-03 07:56:50.000000000 -0400
|
||||||
@@ -60,12 +60,15 @@
|
@@ -60,12 +60,15 @@
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
@ -19925,7 +20056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
') dnl end distro_redhat
|
') dnl end distro_redhat
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -304,10 +294,91 @@
|
@@ -304,10 +294,92 @@
|
||||||
|
|
||||||
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
|
|
||||||
@ -19958,6 +20089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
|
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|
+/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+
|
+
|
||||||
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
+/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
+/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||||
|